Fibre Channel address weaknesses
Now that we have established that attacks don't change, but they do get modified, let's discuss another attack that stems network and application history. Manipulation of the 24-bit fabric address can cause significant damage and denial of service in a
Each node in a SAN has a 24-bit fabric address that is used for routing, among other things. Along with routing frames correctly to/from their source and destinations, the 24-bit address is also used for name server information. The name server is a logical database in each Fibre Channel switch that correlates a node's 24-bit fabric address to their 64-bit WWN. Additionally, the name server is also responsible for other items, such as mapping the 24-bit fabric address and 64-bit WWN to the authorized LUNs in the SAN. Furthermore, address information is also used for soft and hard zoning procedures (discussed in the Chapter 4, "SANs: Zone and Switch Security"). The 24-bit fabric address of a node determines route functions with soft and hard zoning procedures, specifically if a frame is allowed to pass from one zone to the other. While there are several other uses of the 24-bit address, the use of the address in name servers and zoning procedures are by far the most important in terms of security.
The major issues with the 24-bit address is that it is used for identification purposes for both name server information and soft/hard zone routing, almost like an authorization process, but it is an entity that can be easily spoofed. Using any traffic analyzer, the 24-bit source address of a Fibre Channel frame could be spoofed as it performs both PLOGI (Port Login) and FLOGI (Fabric Login) procedures.
In Fibre Channel, there are three different types of login—Port Login, Fabric Login, and Node Login. Two can be corrupted with a spoofed 24-bit fabric address. Before we discuss how spoofing disrupts these processes, let's discuss the login types first.
FABRIC LOGIN (FLOGI), PORT LOGIN (PLOGI), AND NODE LOGIN (NLOGI)
The Fabric Login (FLOGI) process allows a node to log in to the fabric and receive an assigned address from a switch. The FLOGI occurs with any node (N_Port or NL_Port) that is attached to the fabric. The N_Port or NL_Port will carry out the FLOGI with a nearby switch. The node (N_Port or NL_Port) will send a FLOGI frame that contains its node name, its N_Port name, and any service parameters. When the node sends its information to the address of 0xFFFFFE, it uses the 24-bit source address of 0x000000 because it hasn't received a legitimate 24-bit address from the fabric yet. The FLOGI will be sent to the well-known fabric address of 0xFFFFFE, which is similar to the broadcast address in an IP network (though not the same). The FC switches and fabric will receive the FLOGI at the address of 0xFFFFFE. After a switch receives the FLOGI, it will give the N_Port or NL_Port a 24-bit address that pertains to the fabric itself. This 24-bit address with be in the form of Domain-Area-Port address from, where the Domain is the unique domain name (ID) of the fabric, Area is the unique area name (ID) of the switch within the domain, and Port is the unique name (ID) of each port within the switch in the fabric. Table 2.3 shows how the 24-bit address is made.
Table 2.3 24-Bit addresses
|24-Bit Address Type||Description|
|8-bit domain name||Unique domain ID in a fabric. Valid domain IDs are between 1 and 239.|
|8-bit area name||Unique area ID on a switch within a fabric. Valid area IDs are between 0 and 255.|
|8-bit port name||Unique area ID on a switch within a fabric. Valid area IDs are between 0 and 255.|
A 24-bit address (port ID) uses the following formula to determine a node's address:
Domain_ID x 65536 + Area_ID x 256 + Port_ID = 24 bit Address
An example address for and node on the first domain (domain ID of 1), on the first switch (area ID of 0), and the first port (port ID of 1), would be the following:
1 x 65536 + 0 x 256 + 1 = 65537 (Hex: 0x10001)
After the node has completed the FLOGI and has a valid 24-bit fabric address, it will perform a Port Login (PLOGI) to the well-known address of 0xFFFFFC to register its new 24-bit address with the switch's name server, as well as submit information on its 64-bit port WWN, 64-bit node WWN, port type, and class of service. The switch then registers that 24-bit fabric address, along with all the other information submitted, to the name server and replicates that information to other name servers on the switch fabric. Figures 2.14 and 2.15 show the FLOGI and PLOGI processes.
Figure 2.14 FLOGI process.
Figure 2.15 PLOGI process.
A Node Login is somewhat similar to a Fabric Login, but instead of logging in to the fabric, the node would log in to another node directly (node to node communication). The node will not receive any information from the fabric, but will receive information from the other node as it relates to Exchange IDs (OX_ID and RX_ID) and session information (Seq_ID and Seq_CNT). After this information has been exchanged, the two nodes will begin to communicate with each other directly.
FLOGI, PLOGI, AND ADDRESS SPOOFING
Now that we have established facts concerning FLOGI, PLOGI, and address spoofing, let's understand how the weaknesses interrelate them. After performing the FLOGI process, an FC node needs to perform a PLOGI to the well-known address of 0xFFFFFC. The PLOGI then registers the 24-bit address of the node to the Name Server (also referred to as a Simple Name Server) of the switch. If an entity were to spoof their 24-bit fabric address and send it to the address of 0xFFFFFC, the switches would see a node performing a PLOGI. Once the switch receives the information from the PLOGI frame, it will register the spoofed 24-bit address of the node to the name server—thus, polluting the name server with incorrect information. You might wonder what the big deal is since the node has corrupted its own information; however, consider the fact that the 24-bit address is used for hard and soft zoning. For example, let's say the 24-bit address of 65537 (Hex: 0x10001) was allowed to route to nodes in zone A and no other addresses can access that zone. A malicious attacker has the address of 65541 (Hex: 0x10005) and cannot access that zone. The malicious attacker can spoof (change) their 24-bit address to match 65537 (0x10001) and then route frames to the restricted zone A, despite being unauthorized to do so. Spoofing the 24-bit address during PLOGI negates any route- based zoning rules that may have been applied. The simple process of spoofing now creates the ability to route (hop) across hard and soft zoning rules. Figure 2.16 shows the FLOGI/PLOGI spoofing process.
Figure 2.16 FLOGI/PLOGI spoofing process.
We will take this idea a bit further in the next section, "man-in-the-middle Attacks," when I discuss the issues of spoofing the 24-bit fabric address and spoofing a node WWN. The fact is that this attack is very severe by breaking the integrity of any hard or soft zoning rules. However, a traffic analyzer is required to perform this attack, thus creating barriers to perform the attack itself.
Use the following table of contents to navigate to chapter excerpts or click here to view SANs: Fibre Channel Security in its entirety.
Securing Storage: A Practical Guide to SAN and NAS Security
Home: SANs: Fibre Channel Security: Introduction
1: SAN risks
2:Fibre Channel risks
5:Fibre Channel frame weaknesses
6:Session hijacking: assessment exercise
7:Fibre Channel address weaknesses
8: Fibre Channel man-in-the-middle attacks
9: Fibre Channel address weaknesses: assessment exercise
About the book: Securing Storage: A Practical Guide to SAN and NAS Security is an indispensable resource for every storage and security professional, and for anyone responsible for IT infrastructure, from architects and network designers to administrators. You've invested heavily in securing your applications, operating systems, and network infrastructure. But you may have left one crucial set of systems unprotected: your SAN, NAS, and iSCSI storage systems. Securing Storage reveals why these systems aren't nearly as secure as you think they are, and presents proven best practices for hardening them against more than 25 different attacks. Purchase Securing Storage: A Practical Guide to SAN and NAS Security the book from Addison-Wesley Publishing About the author: Himanshu Dwivedi is a founding partner of iSEC Partners, a digital security services and products organization. Before forming iSEC Partners, Himanshu was the Technical Director for @stakes San Francisco security practice, a leader in application and network security. His professional experience includes application programming, infrastructure security, and secure product design with an emphasis on storage risk assessment.
This was first published in April 2007